Affected Versions: < 3.4.3, < 3.3.14
Patched Versions: 3.4.3+, 3.3.14+
Cross-Site Request Forgery (CSRF) can run untrusted code on Rundeck server
A user with admin access to the system resource type is potentially vulnerable to a CSRF attack that could cause the server to run untrusted code on all Rundeck editions.
Patches are available in Rundeck 3.4.3+ and 3.3.14+.
As a user with admin access, always avoid following untrusted links.
Scan outbound URL requests from the Rundeck server for untrusted destinations or content.
To close off the vulnerability completely in Rundeck, deny admin-level access to the system resource to all users. This can be done by adding the following ACLPolicy file. It has the side effect of disabling other admin-level actions in the application, but it mitigates the issue.
    description: Deny system admin access to all users
    context:
      application: 'rundeck'
    for:
      resource:
        - equals:
            kind: 'system'
          deny: 'admin'
    by:
      group: '.*'
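As an added example (not Rundeck's own authorization code), a simplified Python evaluator of parsed ACLPolicy documents shows why the policy above works: the `'.*'` group pattern matches every group, and a matching deny overrides a broad allow from another policy. The policy dicts are constructed to mirror the YAML once loaded, and the evaluation rules are an assumption that covers only the `equals` matcher and string-or-list `allow`/`deny` values.

```python
import re

# Constructed: the advisory's deny policy as it would look after yaml.safe_load.
DENY_SYSTEM_ADMIN = {
    "description": "Deny system admin access to all users",
    "context": {"application": "rundeck"},
    "for": {"resource": [{"equals": {"kind": "system"}, "deny": "admin"}]},
    "by": {"group": ".*"},
}

# Constructed: a typical broad grant that the deny policy must override.
ALLOW_ADMIN_GROUP = {
    "description": "Admin group gets everything",
    "context": {"application": "rundeck"},
    "for": {"resource": [{"equals": {"kind": "system"}, "allow": "*"}]},
    "by": {"group": "admin"},
}


def _as_list(value):
    """ACLPolicy allow/deny/group values may be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _policy_applies(policy, groups):
    """The 'by: group:' value is treated as a regex over the user's groups."""
    patterns = _as_list(policy.get("by", {}).get("group"))
    return any(re.fullmatch(p, g) for p in patterns for g in groups)


def _rule_matches(rule, resource):
    """Only the 'equals' matcher is modelled: every key must match exactly."""
    return all(resource.get(k) == v for k, v in rule.get("equals", {}).items())


def decide(policies, groups, resource, action):
    """Simplified evaluator: any matching deny wins, then any allow, else deny."""
    allowed = False
    for policy in policies:
        if policy.get("context", {}).get("application") != "rundeck":
            continue
        if not _policy_applies(policy, groups):
            continue
        for rule in policy.get("for", {}).get("resource", []):
            if not _rule_matches(rule, resource):
                continue
            denies = _as_list(rule.get("deny"))
            if action in denies or "*" in denies:
                return "deny"
            allows = _as_list(rule.get("allow"))
            if action in allows or "*" in allows:
                allowed = True
    return "allow" if allowed else "deny"
```

Running `decide([ALLOW_ADMIN_GROUP, DENY_SYSTEM_ADMIN], ["admin"], {"kind": "system"}, "admin")` returns `"deny"` even though the admin group is otherwise granted `'*'`, while non-admin actions such as `read` remain allowed.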
For more information
If you have any questions or comments about this advisory:
- Email us at firstname.lastname@example.org
To report security issues to Rundeck please use the form at https://rundeck.com/security